Comments for Tom's Blog

Comment on How to let DomPDF and Zend Framework play along by Marcel van Veelen

Marcel van Veelen — Tue, 09 Mar 2010 14:22:40 +0000

Great!

Works fine.

Comment on Security with Zend_AMF and Flex – Part 2: Practise by Titi

Titi — Wed, 24 Feb 2010 16:19:02 +0000

Hi Tom
I know that this blog entry is a little bit old but it’s very helpful to me. Do you know if your colleague would agree to show me his flex code ? Because it’s the hardest part for me in the authentication process with zend_amf…

Thanks a lot

Comment on How to let DomPDF and Zend Framework play along by Michael D

Michael D — Sat, 23 Jan 2010 01:31:20 +0000

@Tom Here is the html that is added to the file before the pdf header. ---------- Warning: file_put_contents(/var/www/vmnc/library/dompdf/lib/fonts/php_Times-Roman.afm) [function.file-put-contents]: failed to open stream: Permission denied in /var/www/vmnc/library/dompdf/lib/class.pdf.php on line 2354 ------------- Im not sure what that means but is enough to corrupt the file so it wont be rendered by some pdf viewers. Thanks I appreciate your help.

Comment on Unit testing your Javascript: Just Do It by Tom

Tom — Fri, 22 Jan 2010 10:50:29 +0000

Very interesting approach. I’ll have to read the post again, because after a first quick read, I didn’t fully understand how the concept works.

Thanks!

Comment on Unit testing your Javascript: Just Do It by Josh Ribakoff

Josh Ribakoff — Fri, 22 Jan 2010 10:36:21 +0000

I just started using Qunit. I was searching for an article I read the other day and came across yours. The set timeout thing is cool, but not when you have a lot of tests and the time outs add up.

Check out this post for a better way to test asynchronous code

http://www.onenaught.com/posts/85/turn-your-jquery-code-into-a-richer-unit-testable-plugin

Comment on How to let DomPDF and Zend Framework play along by Tom

Tom — Wed, 20 Jan 2010 22:52:40 +0000

Have you tried my second method? That’s a more compact approach. Of course, you lose the benefit of a layout, but I could live with that.

Could you post what you have, then maybe I can help you with fixing it.

Comment on How to let DomPDF and Zend Framework play along by Michael D

Michael D — Mon, 18 Jan 2010 05:51:58 +0000

Ive been trying your approach but I keep getting corrupted files with the html content coming before the pdf. I can disable the layout with $this->helper->layout->diableLayout(); to just get the view scipt html code but I cant figure out how to get the view in the pdfs layout content area.

Comment on Security with Zend_AMF and Flex – Part 1: Theory by Beany

Beany — Wed, 06 Jan 2010 21:22:52 +0000

Thanks for your elaboration,

This is exactly what I was thinking, I was just wondering what your take on it all was. I really like the signature idea for verification a lot

Comment on Security with Zend_AMF and Flex – Part 1: Theory by Tom

Tom — Wed, 06 Jan 2010 18:31:27 +0000

Hi,

The password should never be stored as plain text in your database. This makes it easy for a hacker to see everything. You could encrypt it via a hashing method (sha1 or md5), but that’s not good in this case, since hashing is one-way. I usually encrypt/decrypt the password in the database with AES_DECRYPT() and AES_ENCRYPT(). Both are MySQL functions, and require a salt to encrypt the password with. This salt should be known to your application, so you would have to store it somewhere in a configuration file.

As for creating new users, I honestly haven’t thought about that. My method comes from a case at work, where new users were created via a web interface that already existed. I haven’t put any thought into that part. So obviously it suffers the same flaws as a connection via Flash/flex: it can be intercepted. At the moment, I cannot think of a really safe way to register a new user, except with an SSL encrypted connection (HTTPS). But then again, if you have SSL, you won’t be needing this method.

This method is not for encrypting the data you send to the server (creating a user sends his username and password to the server). It is meant to digitally sign a request to the server, thus making sure that the data can be trusted to come from the user. A hacker will still be able to see what the user is sending to the server, but he won’t be able to tamper with the data.

Comment on Security with Zend_AMF and Flex – Part 1: Theory by Beany

Beany — Wed, 06 Jan 2010 11:35:47 +0000

Interesting solution, I have a question about the signature though.

Interesting solution, I’ve got a couple of questions though.

In order to correctly generate the signature, both parties need to know the challenge and the password already. How do you generate your initial password for a new user safely, without a third party listening in on this?

Even more important (I think), how do you store it? In order for this to work correctly, it seems that you need to store the password as is. Or do you encrypt/decrypt the password on the server side?